CVE-2025-7684: CWE-352 Cross-Site Request Forgery (CSRF) in remysharp Last.fm Recent Album Artwork
The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-7684 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability identified in the Last.fm Recent Album Artwork plugin for WordPress, versions up to and including 1.0.2. The vulnerability stems from missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page, which is responsible for handling plugin settings updates. Nonces are security tokens used in WordPress to verify that requests originate from legitimate users and not from forged sources. Without proper nonce validation, attackers can craft malicious web requests that, when executed by an authenticated administrator (via clicking a link or visiting a malicious page), cause unauthorized changes to plugin settings or inject malicious scripts into the site. This attack vector does not require the attacker to be authenticated but does require user interaction from an administrator, making social engineering a key component. The vulnerability impacts the confidentiality and integrity of the affected WordPress site by enabling unauthorized configuration changes and potential script injection, though it does not affect availability. The CVSS 3.1 score of 6.1 reflects the network attack vector, low attack complexity, no privileges required, required user interaction, and a scope change due to potential impact beyond the vulnerable component. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in mid-July 2025 and published in August 2025 by Wordfence, a reputable security source. Organizations using this plugin should be aware of the risk and implement mitigations promptly.
Potential Impact
The impact of CVE-2025-7684 can be significant for organizations running WordPress sites with the Last.fm Recent Album Artwork plugin. Successful exploitation allows attackers to modify plugin settings without authorization, potentially injecting malicious scripts that could lead to further compromise such as cross-site scripting (XSS), session hijacking, or redirecting users to malicious sites. This undermines the confidentiality and integrity of the website and its users' data. While availability is not directly affected, the injected scripts or altered settings could degrade user trust and site reputation. Since the attack requires tricking an administrator into clicking a link, organizations with less security awareness or inadequate user training are at higher risk. The vulnerability could be leveraged as a foothold for more extensive attacks on the web infrastructure or to distribute malware. Given WordPress's widespread use globally, the threat has a broad potential impact, especially on sites that rely on this plugin and do not have compensating controls.
Mitigation Recommendations
To mitigate CVE-2025-7684, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. In the absence of an official patch, administrators should consider disabling or uninstalling the Last.fm Recent Album Artwork plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to detect and block suspicious CSRF attempts targeting the plugin's endpoints can provide temporary protection. Administrators should also enforce strict user access controls and minimize the number of users with administrative privileges. Educating administrators about the risks of clicking untrusted links and employing browser security features that warn about CSRF risks can reduce successful exploitation likelihood. Additionally, site owners can implement custom nonce validation or security plugins that enforce nonce checks on all plugin actions. Regular security audits and monitoring for unusual configuration changes or injected scripts can help detect exploitation attempts early.
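The two settings-handler patterns contrasted in the analysis above (a handler that trusts any POST, and one that verifies a WordPress nonce and the caller's capability before writing), as an added example that is not the plugin's own code; the function names, option name, nonce action and admin-post hook are assumed:

```php
<?php
// Added illustration, not code from the Last.fm Recent Album Artwork plugin.
// Function names, the 'lfm_username' option and the 'lfm_save_settings'
// nonce action are hypothetical.

// VULNERABLE PATTERN: accepts any POST that arrives while an administrator is
// logged in. A form on a third-party page can submit it with the admin's
// cookies, and nothing proves the request came from this site's settings page.
function lfm_save_settings_vulnerable() {
    if ( isset( $_POST['lfm_username'] ) ) {
        update_option( 'lfm_username', $_POST['lfm_username'] ); // no nonce, no sanitization
    }
}

// HARDENED PATTERN: capability check, nonce check, sanitize on input.
function lfm_handle_save() {
    // 1. Only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The nonce is tied to this action and the current user's session, so a
    //    forged cross-site request cannot present a valid one; on failure
    //    check_admin_referer() terminates the request.
    check_admin_referer( 'lfm_save_settings', 'lfm_nonce' );

    // 3. Never persist raw input: strip tags so a stored value cannot carry script.
    $username = sanitize_text_field( wp_unslash( $_POST['lfm_username'] ?? '' ) );
    update_option( 'lfm_username', $username );

    wp_safe_redirect( admin_url( 'options-general.php?page=lfm-settings&updated=1' ) );
    exit;
}
// Routes POSTs with action=lfm_save to the hardened handler.
add_action( 'admin_post_lfm_save', 'lfm_handle_save' );

// Settings form: emits the nonce field the handler verifies, and escapes the
// stored value on output so existing data cannot break out of the attribute.
function lfm_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lfm_save">
        <?php wp_nonce_field( 'lfm_save_settings', 'lfm_nonce' ); ?>
        <label>Last.fm username
            <input type="text" name="lfm_username"
                   value="<?php echo esc_attr( get_option( 'lfm_username', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Registering lfm_render_settings_page() with add_options_page() under the 'manage_options' capability completes the settings screen; the nonce field and the check_admin_referer() call must always name the same action string.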
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-15T18:48:20.341Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689fff64ad5a09ad007439b4
Added to database: 8/16/2025, 3:47:48 AM
Last enriched: 2/26/2026, 4:27:41 PM
Last updated: 3/26/2026, 10:06:05 AM